Friday Mail Sack – Marshmallow Bird Edition

Hi there intarwebz, Ned here. Hopefully you’re at home right now filling up the basket with Peeps for the kids. For those that aren’t, here are this week’s interesting questions from our readers and fellow employees.

Question

I am looking for a newer set of information on Active Directory’s LDAP V3 compliance. This old document is good but it was written when the LDAP V3 RFC was still in review by the IETF. Is there something more up to date I can use to fight the good fight?

Answer

You bet, and boy did we bury it. If you go into MSDN -> Open Specifications -> Windows Protocols -> Windows Communication Protocols -> [MS-ADTS] -> Details -> Common Details -> 3.1.1 Abstract Data Model -> 3.1.1.3 LDAP -> 3.1.1.3.1 LDAP Conformance you will find:

https://msdn.microsoft.com/en-us/library/cc223226(PROT.10).aspx

Which states in robot lawyer talk:

“The purpose of this section is to document how the implementation of Active Directory DCs interprets the LDAPv3 RFCs, including differences from those RFCs. Except as noted in the following subsections, Active Directory is compliant to [RFC3377]. All error codes returned by Active Directory are taken from the resultCode enumeration of the LDAPResult structure defined in [RFC2251] section 4.1.10.”

It covers Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 and goes into the specifics of compliance. We have also extended LDAP for AD purposes, so there is extra functionality not mandated by the RFCs.

Enjoy your nap.

Question

I have a Java application that cannot retrieve data from a constructed attribute. Does anything need to be changed in AD to allow this to work?

Answer

If DSA.MSC, ADSIEDIT.MSC, LDP.EXE, LDIFDE.EXE, CSVDE.EXE, Get-AdObject, Joeware tools, DCs, clients, users, and the rest of the kitchen sink can all read it, nothing needs to be done with AD. Something needs to be done with the Java code. :-) This is the first thing we hammer into the heads of new engineers here in AD Support: validate with known-quantity tools.

Question

Is there any good reason to turn on the “Disable machine account password change” security policy when computers are on a LAN and on all the time?

Answer

Officially, we do not recommend disabling the password changes, just like it says in the Explain tab of the policy editor.

However, if you:

  • Restore a 31+ day old system state backup
  • Change the computer account password more than once with NLTEST and then restore a system state backup

… then the computer would have to be rejoined to the domain. Never changing the password would prevent this.

A computer account password getting brute forced is extremely unlikely (it’s ridiculously complex), so having it change every 30 days is mostly paranoia on our part. It is far easier, and thus more likely, that the machine itself gets owned without any knowledge of the password, just through a careless user with admin rights or an unpatched security bug elsewhere; changing the password every 30 days would not save you in that scenario.

Again though: officially not recommended. Especially since your only downside is rejoining the computer to the domain after restoring it from backup, which is not exactly the end of the world.
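As an added example (not from the original post), here is a PowerShell check for the two sides of this question: what the local machine's policy is set to, and which computer accounts in the domain have gone a long time without a password change. It assumes the RSAT ActiveDirectory module is installed and that the Netlogon registry values named in the comments are the ones the "Domain member" policies write, which they are on the Windows versions discussed here.

```powershell
# Added example, not part of the original post.
# 1) Local machine: read the policy-backed Netlogon values.
#    "Domain member: Disable machine account password changes" -> DisablePasswordChange (1 = disabled)
#    "Domain member: Maximum machine account password age"     -> MaximumPasswordAge (days, default 30)
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon

$disabled = [bool][int]$params.DisablePasswordChange      # missing value casts to 0 -> $false
$maxAge   = if ($params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }

"Local machine: password change disabled = $disabled, maximum age = $maxAge days"

# 2) Domain-wide: list enabled computers whose password is older than twice
#    the maximum age. A large gap usually means the change is disabled on
#    that box or it has not talked to a DC in a long time (for example, it
#    was restored from an old backup and will need to be rejoined).
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-2 * $maxAge)

Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet,
        @{ n = 'DaysSinceChange'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object DaysSinceChange -Descending |
    Format-Table -AutoSize
```

Run it as a user that can read computer objects; the second half queries every enabled computer in the domain, so on a large forest scope the filter accordingly.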

Question

How do I know when the Windows Server 2008-related content is updated on TechNet? Are there any other ways I can get updates or alerts via email when the content has been updated?

Answer

I hope you have a couple of terabyte storage arrays lying around; you are looking to get updates from one of the busiest websites in the world. :-) There is no “alert me when TechNet is updated” option, but Craig and his TechNet Wiki pals came up with an interesting way to get this in a “lite” fashion through RSS:

1. Go to https://technet.microsoft.com and search for something broad that you are interested in, like: Windows Server 2008 R2 DFSR

2. This returns a boatload of hits, as you might expect. You then refine that to “documentation and articles”. Note though that there’s a little RSS nubbin’ on that results page.

3. If you subscribe to that feed, you can see new content for those topics whenever it changes. Nifty.

Wooo, and check this out: the same results page also offers a federated search connector for Windows 7. Once you install that connector in your Windows 7 client, you can run the same TechNet search right from Windows Explorer.

Oh. Em. Gee. That’s cool. We also have one for MSDN.

Web 2.0 is so yesterday. Full client search within Windows Explorer is the future! :-D

Final note

There will not be a Friday Mail Sack next week as I am off to see the Cubs play the Braves in Atlanta on Thursday, and making a weekend of it. For our British, Indian, and Australian readers, baseball is defined as “A cricket-like game that does not take a month to play and does not involve cardigan sweaters”.

Come by and say hi!

- Ned “theriot” Pyle